IGEL Furthers Product Security with Meltdown and Spectre Fix

(The following post includes new updates as of 2/2/2018)

IGEL has acted quickly in response to the recently disclosed Meltdown and Spectre vulnerabilities with fixes released today.

As background, Meltdown and Spectre affect computer processors, with Meltdown (CVE-2017-5754, critical) affecting Intel CPUs only, and Spectre (CVE-2017-5753 and CVE-2017-5715, high) affecting processors from Intel, AMD and ARM. These vulnerabilities may allow software to read information from other programs and the operating system that they shouldn’t be able to access, for example passwords.

Today IGEL releases fixed firmware images and updates. IGEL strongly recommends updating your devices to these. Note: Any information provided does not release the customer from their obligation to test system modifications in advance. New firmware must always be tested in advance.

The following fixed versions are available for download at https://www.igel.com/software-downloads/

• Partial Update for WES7 and WES7+ with fixes for Meltdown and Spectre (CVE-2017-5754, CVE-2017-5715, CVE-2017-5753) and mitigations for Internet Explorer
• Windows 10 IoT Enterprise Private Build 4.01.140 with fixes for Meltdown and Spectre (CVE-2017-5754, CVE-2017-5715, CVE-2017-5753) and mitigations for Internet Explorer
• IGEL OS 10 Private Build 10.03.550 with fixes for Meltdown (CVE-2017-5754) and Spectre version 2 (CVE-2017-5715), Firefox ESR 52.5 is not affected
  • LX (for UD-LX devices)
  • OS (for UDC3-converted devices and UD Pocket)

The IGEL OS 10 Private Build 10.03.550 has been successfully tested on all IGEL UD-LX devices:

• IZ2-RFX, IZ2-HDX, IZ2-HORIZON
• IZ3-RFX, IZ3-HDX, IZ3-HORIZON
• UD2-LX 40
• UD3-LX 50, UD3-LX 42, UD3-LX 41, UD3-LX 40
• UD5-LX 50, UD5-LX 40
• UD6-LX 51
• UD9-LX Touch 41, UD9-LX 40
• UD10-LX Touch 10, UD10-LX 10

… and on the following 3rd-party devices:

• Acer Veriton
• Advantech-DLoG DLT-V6210
• Advantech-DLoG DLT-V7210 R
• Dell Wyse D10DP
• Dell Wyse D50D
• Dell Wyse Z90Q7
• Lenovo Tiny M600
• Fujitsu Futro X913
• Fujitsu Futro X923
• Lenovo M600
• Toshiba Portege X20W-D-11N

NEW: As of 2/2/2018 the new release contains the Kernel Page Table Isolation (KPTI) patch for the Linux Kernel which fixes Meltdown (CVE-2017-5754). Intel has withdrawn its processor microcode updates intended to mitigate the Spectre variant 2 vulnerability (CVE-2017-5715) because of undesirable side-effects that have been seen on some systems. IGEL has removed these microcode updates from IGEL OS as recommended by Intel. Apart from that, the IGEL OS kernel has received fixes for a dozen other vulnerabilities, details can be found in the release notes.

Mozilla Firefox has been updated to protect users from a side-channel attack that uses Spectre and from a number of other vulnerabilities. The default SMB version in IGEL OS 10 has been changed from 1.0 to 2.0 for security reasons. However, administrators can still set another version if desired. We recommend updating your devices.

The following fixed versions are available for download:

• IGEL OS 10.03.570 (LX) for updating IGEL UD-LX devices
• IGEL OS 10.03.570 (OS) for updating UD Pocket und 3rd-party devices converted with UDC3

Information about IGEL Linux 5:

Currently, there is no fix for IGEL Linux 5, as the Linux Kernel developers have not integrated measures against Meltdown into the 32-bit version of the kernel. This affects IGEL Linux 5 and all other 32-bit Linux systems on the market. Currently there is no Meltdown fix in the 32-bit mainline Linux Kernel, but it may become available later. In the meantime, protection from the vulnerabilities can be provided via microcode updates from the processor vendors. IGEL will integrate these as soon as they become available.

However, the Mozilla Firefox web browser in IGEL Linux 5 is not vulnerable to the JavaScript attack in the Proof-of-Concept, as it does not have the required high-resolution timers. Apart from that, removing the local browser is always a measure that improves device security, as it is often used for remote attacks. Learn how to do it at http://edocs.igel.com/index.htm#13934.htm. Also, Appliance Mode limits the parts of the system that users can access, further reducing the attack surface: http://edocs.igel.com/index.htm#13944.htm.

Further Windows Information:

Windows devices will also need microcode updates for a complete fix of Spectre.  IGEL will deliver these as soon as they become available.

It is our commitment to deliver the most resilient and secure endpoint security and optimization solutions possible. We will continue to pursue every avenue to deliver on this commitment so that our customers can be assured every protection for their IGEL-enabled end user computing devices. If you have any questions about these vulnerability fixes, please contact IGEL support here: https://www.igel.com/submit-a-ticket/.